Can simulated attack on NYC power grid bridge the partisan divide?

By Kevin McCaney

Mar 09, 2012

Apparently hoping that there are no partisans in the foxholes, the Obama administration recently gave a group of senators a demonstration of what could happen during a cyberattack on New York City’s power systems during a heat wave.

The idea behind the March 7 simulated attack was to stress the need for cybersecurity legislation that would help the United States protect itself against such attacks, Bloomberg reported.

Cybersecurity bills have abounded in Congress in recent years, but all have stalled so far.

Representatives of the White House, Homeland Security Department, FBI and National Security Agency took part in the demonstration, the details of which were kept secret. But White House spokeswoman Caitlin Hayden told Bloomberg the exercise was “intended to provide all senators with an appreciation for new legislative authorities that would help the U.S. government prevent and more quickly respond to cyberattacks.”

Dozens of cybersecurity bills of one stripe or another have been introduced in Congress over the past several years, but none have emerged, failing for reasons ranging from partisan wrangling, to opposition to a supposed presidential “kill switch,” to plain old inaction.

Most recently, Sen. Joe Lieberman (I-Conn.) in February introduced the Cybersecurity Act of 2012, which he called a compromise, a bipartisan bill that would clarify DHS’ role in overseeing the security of privately owned critical infrastructure and reform the Federal Information Security Management Act.

Republican senators immediately objected, saying Lieberman’s bill bypassed hearings before the eight GOP-controlled committees that have some jurisdiction over cybersecurity and was too heavy with regulations on industry.

On March 1, a group of senators led by John McCain (R-Ariz.) introduced an alternative bill, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology, or Secure IT Act, which stresses voluntary information sharing between the public and private sectors but sets no requirements for securing private critical infrastructure.

The question of regulatory requirements on private companies is shaping up as the sticking point between the two bills. At a hearing March 7 before the House Energy and Commerce subcommittee on Communications and Technology, network executives said that regulation would hurt, rather than help, cybersecurity by limiting innovation.

The White House’s own cybersecurity proposal, introduced in May 2011, states that the administration prefers cooperation with industry over regulation, and proposes ways to encourage security efforts among the owners of private infrastructure.

The simulated attack on New York’s power grid apparently was an effort to emphasize the extent of the potential threat. Fears of infrastructure attacks have been heightened since the Stuxnet worm successfully attacked centrifuges used in Iran’s uranium enrichment program, and an information-gathering Stuxnet variant, Duqu, was found in the wild.

The threat of infrastructure attacks is seen as most likely coming from nation-states, such as China, which has been the source, in terms of IP addresses at least, of numerous attacks against websites in the United States. A report released March 8 by Northrop Grumman for the U.S.-China Economic and Security Review Commission states that China has developed significant cyber warfare capabilities.

But such attacks could come from other sources as well. National Security Agency Director Gen. Keith Alexander said recently that he’s worried that the hacktivist group Anonymous could develop the ability to attack the U.S. power grid within two years.